Change log for CISCO_WIRELESS
| Date | Changes |
|---|---|
| 2025-04-15 | Enhancement:<br>- Added Gsub to replace "\\n" with " " in "message" so the logs can be parsed.<br>- Added GROK patterns to parse a new pattern of syslog logs.<br>- `event.idm.read_only_udm.principal.hostname`, `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped the `principal_hostname` raw log field to the `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields.<br>- `event.idm.read_only_udm.target.hostname`, `event.idm.read_only_udm.target.asset.hostname`: Removed the mapping of `wlc_controller` to the `event.idm.read_only_udm.target.hostname` and `event.idm.read_only_udm.target.asset.hostname` UDM fields when `mnemonic` is `USER_NAME_CREATED` in include file "cisco_wireless.include".<br>- `event.idm.read_only_udm.principal.hostname`, `event.idm.read_only_udm.principal.asset.hostname`: Mapped the `wlc_controller` raw log field to the `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields when `mnemonic` is `USER_NAME_CREATED` in include file "cisco_wireless.include".<br>- Added GROK patterns to parse logs that were previously dropped when `mnemonic` is `RADIUS_IN_GLOBAL_LIST` in include file "cisco_wireless.include".<br>- Added an "else if" conditional check for `mnemonic` equal to `CLIENT_MOVED_TO_RUN_STATE` in include file "cisco_wireless.include".<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped the `src_ip_1` raw log field to the `event.idm.read_only_udm.principal.ip` UDM field when `mnemonic` is `CLIENT_MOVED_TO_RUN_STATE` in include file "cisco_wireless.include".<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped the `src_ip_2` raw log field to the `event.idm.read_only_udm.principal.ip` UDM field when `mnemonic` is `CLIENT_MOVED_TO_RUN_STATE` in include file "cisco_wireless.include".<br>- Added an "else if" conditional check for `mnemonic` equal to `AUTHENTICATION_TRAP` in include file "cisco_wireless.include".<br>- `event.idm.read_only_udm.principal.mac`: Newly mapped the `mac1` raw log field to the `event.idm.read_only_udm.principal.mac` UDM field when `mnemonic` is `AUTHENTICATION_TRAP` in include file "cisco_wireless.include".<br>- `event.idm.read_only_udm.principal.mac`: Newly mapped the `mac2` raw log field to the `event.idm.read_only_udm.principal.mac` UDM field when `mnemonic` is `AUTHENTICATION_TRAP` in include file "cisco_wireless.include".<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `slot` raw log field to the `event.idm.read_only_udm.security_result.detection_fields` UDM field when `mnemonic` is `AUTHENTICATION_TRAP` in include file "cisco_wireless.include".<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped the `username` raw log field to the `event.idm.read_only_udm.principal.user.userid` UDM field when `mnemonic` is `AUTHENTICATION_TRAP` in include file "cisco_wireless.include".<br>- `event.idm.read_only_udm.principal.ip`, `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `src_ip` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields when `mnemonic` is `AUTHENTICATION_TRAP` in include file "cisco_wireless.include".<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `ssid` raw log field to the `event.idm.read_only_udm.security_result.detection_fields` UDM field when `mnemonic` is `AUTHENTICATION_TRAP` in include file "cisco_wireless.include".<br>- `event.idm.read_only_udm.principal.hostname`, `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped the `principal_hostname` raw log field to the `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields when `mnemonic` is `AUTHENTICATION_TRAP` in include file "cisco_wireless.include".<br>- `event.idm.read_only_udm.metadata.event_type`: When `mnemonic` is `AUTHENTICATION_TRAP` in include file "cisco_wireless.include", set `event.idm.read_only_udm.metadata.event_type` to `USER_UNCATEGORIZED` if `has_principal_user` is true; else set it to `STATUS_UPDATE` if `has_principal` is true; otherwise set it to `GENERIC_EVENT`.<br>- Added `on_error` when mapping `ap_mac` to `event.idm.read_only_udm.target.mac` in include file "cisco_wireless.include". |
| 2024-09-25 | Enhancement:<br>- Added support for a new pattern of syslog logs. |
| 2024-05-28 | Enhancement:<br>- Mapped "MessageSourceAddress" to "principal.ip" and "principal.asset.ip".<br>- Mapped "SourceModuleName" and "SourceModuleType" to "principal.resource.attribute.labels".<br>- Mapped "intermediary_hostname" to "intermediary.hostname". |
| 2024-03-18 | Enhancement:<br>- Added new Grok patterns to support a new pattern of syslog logs.<br>- Mapped "version" to "metadata.product_version".<br>- Mapped "client_host" and "hostname" to "principal.hostname".<br>- Mapped "client_ip" to "principal.ip".<br>- Mapped "client_mac" to "principal.mac".<br>- Mapped "ap_ip" to "target.ip".<br>- Mapped "ap_mac" to "target.mac".<br>- Mapped "messageToProcess" and "description" to "metadata.description".<br>- Mapped "inter_url" to "intermediary.url".<br>- Mapped "inter_ip" to "intermediary.ip".<br>- Mapped "sec_desc" to "security_result.description".<br>- Mapped "latest_version", "current_version", "certificate", "expiry_date", "clostest_sensor", "ssid", "client", "xid", "failure_reason", "auth_failure_reason", and "interface" to "security_result.detection_fields".<br>- Aligned mappings for "principal.hostname" and "principal.asset.hostname".<br>- Aligned mappings for "target.hostname" and "target.asset.hostname".<br>- Aligned mappings for "principal.ip" and "principal.asset.ip".<br>- Aligned mappings for "target.ip" and "target.asset.ip".<br>- Mapped "action_data" to "security_result.action_details".<br>- Mapped "username" to "principal.user.userid".<br>- Mapped "vendor" and "RSSI" to "principal.resource.attribute.labels".<br>- Mapped "vendor", "security_setting", "channel", "protocol", and "RSSI" to "target.resource.attribute.labels". |
| 2024-01-10 | Enhancement:<br>- Added Grok patterns to parse newly ingested unparsed logs.<br>- Handled logs where "mnemonic" is not null and its value is "SEC_LOGIN-5-LOGIN_SUCCESS" or "CRL_LDAP_QUERY".<br>- Mapped "msg1" to "metadata.description".<br>- Mapped "messageToProcess" to "metadata.description". |
| 2023-02-09 | Enhancement:<br>- Added support for new logs that contain the "PARSE_ERROR" field.<br>- Added a grok pattern to support the new logs. |
| 2022-09-08 | Fix:<br>- Corrected a typo: on line 1239 of the include file, added the comment marker '#' preceding the word 'security'. |
| 2022-08-22 | Enhancement:<br>- Moved customer-specific parser changes into the default parser.<br>- Added grok patterns to parse the dropped logs.<br>- Removed drop tags to enhance the parser.<br>- Changed the field mapping of "event.idm.read_only_udm.metadata.event_type" from "GENERIC_EVENT" to "STATUS_UNCATEGORIZED" and "STATUS_UPDATE".<br>- Mapped the "messageToProcess" field to "event.idm.read_only_udm.metadata.description".<br>- Mapped the "src_ip" field to "event.idm.read_only_udm.principal.ip".<br>- Mapped "wlc_controller" to "event.idm.read_only_udm.principal.hostname".<br>- Mapped "event.idm.read_only_udm.metadata.event_type" to "USER_RESOURCE_ACCESS". |